CVE-2025-4949
Severity CVSS v4.0:
MEDIUM
Type:
CWE-611
Improper Restriction of XML External Entity Reference ('XXE')
Publication date:
21/05/2025
Last modified:
05/01/2026
Description
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
Impact
Base Score 4.0
6.80
Severity 4.0
MEDIUM
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* | 5.13.4 (excluding) | |
| cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* | 6.0.0 (including) | 6.10.1.202505221210 (excluding) |
| cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* | 7.0.0 (including) | 7.0.1.202505221510 (excluding) |
| cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* | 7.1.0 (including) | 7.1.1.202505221757 (excluding) |
| cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* | 7.2.0 (including) | 7.2.1.202505142326 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/64
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281
- https://projects.eclipse.org/projects/technology.jgit/releases/5.13.4
- https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1
- https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1
- https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1
- https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281